
Infected With Virtumonde And Vundo


23 replies to this topic

#1 SilveradoSS

SilveradoSS

  • Members
  • 27 posts

Posted 02 November 2007 - 09:39 AM

Hello, I've been battling to get control of my PC back since an unauthorized download occurred. I visited a website where something downloaded in the background without a prompt. I have been having undesired pop-ups, slow-to-freezing PC performance and an occasional install window popping up wanting to install something I believe was called "AV Scanner". I have run all of the programs your website has requested and can't seem to get rid of the remaining undesirables. PC performance has improved after running all of the suggested programs. I am also running Spyware Terminator, which has a real-time shield. According to it, there is a file (C:\Windows\SYSTEM32\DDABC.DLL) which is constantly trying to launch.

Below are the log files from Hijackthis and BitDefender:

HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:07:10 AM, on 11/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\LTMSG.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\SEC\MagicTune3.5_Client\GammaTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 72.13.247.82:3128
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: (no name) - {7D477888-1A71-42DB-8D2C-79C779B6946E} - C:\WINDOWS\system32\ddabc.dll
O2 - BHO: (no name) - {820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04} - C:\WINDOWS\system32\rqrrroo.dll
O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - C:\WINDOWS\system32\tvuwnwmu.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [5c15cdd3] rundll32.exe "C:\WINDOWS\system32\ntejefwx.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Color Calibration.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: MagicTune3.5.lnk = ?
O4 - Global Startup: NaturalColorLoad.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O16 - DPF: vzTCPConfig - http://www2.verizon.net/help/fios_settings...vzTCPConfig.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by109fd.bay109.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1192247881468
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1192247827593
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownlo...iaSmartScan.cab
O16 - DPF: {8BC53B30-32E4-4ED3-BEF9-DB761DB77453} (CInstallLPCtrl Object) - http://u3.sandisk.com/download/apps/LPInstaller.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.com/games/downloads/gamem...GameManager.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.games.yahoo.com/games/web_...e/gpcontrol.cab
O20 - Winlogon Notify: qommjhe - C:\WINDOWS\
O20 - Winlogon Notify: rqrrroo - C:\WINDOWS\SYSTEM32\rqrrroo.dll
O20 - Winlogon Notify: vtuts - C:\WINDOWS\
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 6626 bytes



BitDefender Log

BitDefender Online Scanner

Scan report generated at: Fri, Nov 02, 2007 - 05:14:22
Scan path: A:\;C:\;D:\;E:\;F:\;G:\;H:\;I:\;J:\;K:\;

Statistics
Time: 01:16:55
Files: 358960
Folders: 8206
Boot Sectors: 3
Archives: 14252
Packed Files: 23110

Results
Identified Viruses: 4
Infected Files: 4
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 2

Engines Info
Virus Definitions: 859921
Engine build: AVCORE v1.0 (build 2422) (i386) (Sep 25 2007 08:26:36)
Scan plugins: 14
Archive plugins: 38
Unpack plugins: 7
E-mail plugins: 6
System plugins: 1

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File - Status
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP2\A0000135.exe - Infected with: Dropped:Generic.Malware.dld!!.A3D09FA5
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP2\A0000135.exe - Disinfection failed
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP2\A0000135.exe - Deleted
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP2\A0000136.exe - Infected with: Generic.Malware.YBd.94DAB8AB
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP2\A0000136.exe - Disinfection failed
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP2\A0000136.exe - Deleted
C:\WINDOWS\system32\ddabc.dll - Detected with: Adware.Virtumonde.GGZ
C:\WINDOWS\system32\ddabc.dll - Disinfection failed
C:\WINDOWS\system32\ddabc.dll - Delete failed
C:\WINDOWS\system32\rqrrroo.dll - Infected with: Trojan.Vundo.DNZ
C:\WINDOWS\system32\rqrrroo.dll - Disinfection failed
C:\WINDOWS\system32\rqrrroo.dll - Delete failed


#2 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 02 November 2007 - 01:28 PM

Hello SilveradoSS,

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt.
*******************

If you have used ComboFix before, please delete the version you have and download it again, because ComboFix is being updated every day.

Disconnect from the Internet while running ComboFix.

Temporarily disable any anti-virus and anti-malware real-time protection before performing a scan.
They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.



1. Download this file - combofix.exe to your Desktop.
Note:
It is important that it is saved directly to your desktop

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you, C:\ComboFix.txt. Post the ComboFix log and a fresh Hijackthis log in your next reply.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Edited by SifuMike, 02 November 2007 - 01:29 PM.


#3 SilveradoSS

SilveradoSS
  • Topic Starter

  • Members
  • 27 posts

Posted 02 November 2007 - 08:03 PM

Here are the contents of C:\vundofix.txt. I am currently running Combofix.

VundoFix V6.5.11

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Scan started at 6:55:16 PM 11/2/2007

Listing files found while scanning....

C:\windows\system32\rqrrroo.dll
C:\WINDOWS\system32\tvuwnwmu.dll

Beginning removal...

Attempting to delete C:\windows\system32\rqrrroo.dll
C:\windows\system32\rqrrroo.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\tvuwnwmu.dll
C:\WINDOWS\system32\tvuwnwmu.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.11

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Scan started at 7:43:30 PM 11/2/2007

Listing files found while scanning....

C:\windows\system32\rqrrroo.dll

Beginning removal...

Attempting to delete C:\windows\system32\rqrrroo.dll
C:\windows\system32\rqrrroo.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\windows\system32\rqrrroo.dll
C:\windows\system32\rqrrroo.dll Has been deleted!

Performing Repairs to the registry.
Done!

#4 SilveradoSS

SilveradoSS
  • Topic Starter

  • Members
  • 27 posts

Posted 02 November 2007 - 08:29 PM

Here is the ComboFix.txt report:

ComboFix 07-11-01.1 - Owner 2007-11-02 20:02:09.4 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\ISM2
C:\Temp\fCOe
C:\Temp\fCOe\tOasF.log
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\cbadd.bak1
C:\WINDOWS\system32\cbadd.bak2
C:\WINDOWS\system32\cbadd.ini
C:\WINDOWS\system32\ddabc.dll
C:\WINDOWS\system32\ntejefwx.dll
C:\WINDOWS\system32\oTt02e
C:\WINDOWS\system32\oTt06e
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\uvgtarhf.dll
C:\WINDOWS\system32\xwfejetn.ini

.
((((((((((((((((((((((((( Files Created from 2007-10-03 to 2007-11-03 )))))))))))))))))))))))))))))))
.

2007-11-02 19:55 82,496 --a------ C:\WINDOWS\system32\hqgscsyl.dll
2007-11-02 18:55 <DIR> d-------- C:\VundoFix Backups
2007-11-02 03:55 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-11-02 03:15 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-11-01 21:43 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\HouseCall 6.6
2007-11-01 21:41 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-10-29 22:37 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-29 22:09 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-10-29 22:09 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-10-29 22:09 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-10-29 22:09 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-10-29 22:09 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-10-29 06:06 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2007-10-29 06:05 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Spyware Terminator
2007-10-24 11:06 <DIR> d-------- C:\Program Files\KGB Archiver
2007-10-22 08:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2007-10-22 08:53 17,408 --a------ C:\psapi.dll
2007-10-22 08:49 16,384 --a------ C:\WINDOWS\xlavba3.exe
2007-10-22 08:49 41 --a------ C:\WINDOWS\plite731_uninstaller_.bat
2007-10-22 08:24 6,058,496 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-10-22 08:24 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-10-22 08:24 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-10-22 08:24 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-10-22 08:24 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-10-22 08:24 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2007-10-22 08:24 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-10-22 08:24 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-10-20 00:03 <DIR> d-------- C:\WINDOWS\system32\ffdshow
2007-10-20 00:03 <DIR> d-------- C:\Program Files\SourceTec
2007-10-18 21:23 <DIR> d-------- C:\Program Files\NCH Swift Sound
2007-10-18 21:23 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\NCH Swift Sound
2007-10-18 21:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2007-10-18 10:50 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-13 08:41 60,273 --a------ C:\WINDOWS\system32\pthreadGC2.dll
2007-10-13 08:41 7,680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-10-13 08:40 <DIR> d-------- C:\Program Files\ffdshow
2007-10-13 00:19 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Uniblue
2007-10-12 23:46 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-10-12 22:53 208,896 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2007-10-12 22:52 <DIR> d-------- C:\NVIDIA

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-02 14:43 --------- d-----w C:\Program Files\Spyware Terminator
2007-11-02 02:31 --------- d-----w C:\Documents and Settings\Owner\Application Data\Spyware Terminator
2007-11-01 12:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2007-10-31 04:07 --------- d-----w C:\Program Files\EMCO Malware Bouncer
2007-10-25 16:05 94,416 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-10-25 16:05 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-10-25 16:03 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-10-25 16:01 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-10-25 15:58 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-10-24 01:46 --------- d-----w C:\Program Files\MediaFACE II
2007-10-24 01:39 --------- d-----w C:\Program Files\Acoustica MP3 CD Burner
2007-10-22 13:10 --------- d-----w C:\Program Files\Yahoo!
2007-10-21 15:48 --------- d-----w C:\Program Files\QuickTime
2007-10-21 15:48 --------- d-----w C:\Program Files\Multimedia Card Reader
2007-10-21 15:48 --------- d-----w C:\Program Files\BearShare
2007-10-20 04:59 4,114 ----a-w C:\WINDOWS\viassary-hp.reg
2007-10-19 02:21 --------- d-----w C:\Program Files\Astonsoft
2007-10-18 16:38 138,624 ----a-w C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2007-10-18 13:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-18 11:50 --------- d-----w C:\Program Files\Dora`s Magic Castle
2007-10-14 23:15 --------- d-----w C:\Documents and Settings\Owner\Application Data\BitTorrent
2007-10-13 05:06 --------- d-----w C:\Program Files\Microsoft Works
2007-10-12 22:14 --------- d-----w C:\Program Files\BitTorrent
2007-09-28 03:54 --------- d-----w C:\Program Files\BearShare Test
2007-09-28 03:24 --------- d-----w C:\Program Files\eMule
2007-09-28 02:51 --------- d-----w C:\Program Files\BearShare Applications
2007-09-28 02:45 --------- d-----w C:\Program Files\Soulseek
2007-09-22 11:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-09-22 04:02 --------- d-----w C:\Program Files\DVDFab HD Decrypter 3
2007-09-15 23:29 --------- d-----w C:\Program Files\Any Video Converter
2007-09-14 15:16 --------- d-----w C:\Program Files\Audacity 1.3 Beta
2007-09-04 02:38 --------- d-----w C:\Program Files\IrfanView
2005-12-07 16:27 784 ----a-w C:\Documents and Settings\Owner\Application Data\mpauth.dat
2007-04-20 04:28:13 1,373,003 --sha-w C:\WINDOWS\system32\knnmp.bak1
2007-04-21 01:32:27 1,381,145 --sha-w C:\WINDOWS\system32\knnmp.ini2
2007-05-31 17:02:51 1,541,369 --sh--w C:\WINDOWS\system32\stutv.bak1
2007-06-01 14:03:40 1,554,267 --sh--w C:\WINDOWS\system32\stutv.ini2
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 61,440 2003-02-12 03:02:48 C:\hp\KBD\bak\KBD.EXE

----a-w 40,048 2007-05-11 08:06:32 C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe

----a-w 79,224 2007-09-06 10:06:09 C:\Program Files\Alwil Software\Avast4\bak\ashDisp.exe
----a-w 79,224 2007-10-25 15:20:44 C:\Program Files\Alwil Software\Avast4\ashDisp.exe

----a-w 3,223,552 2005-09-15 21:54:16 C:\Program Files\BearShare\bak\BearShare.exe

----a-w 3,223,552 2005-09-06 19:49:18 C:\Program Files\BearShare Test\bak\BearShare.exe
----a-w 3,223,552 2005-09-06 19:49:18 C:\Program Files\BearShare Test\BearShare.exe

----a-w 81,920 2005-08-11 21:30:30 C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe

----a-w 180,269 2004-12-17 05:09:54 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe

----a-w 32,768 2004-01-09 09:34:10 C:\Program Files\HP\Digital Imaging\bin\bak\backupnotify.exe

----a-w 49,152 2005-02-17 04:11:42 C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe

----a-w 241,664 2005-01-12 19:54:58 C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe

----a-w 49,152 2003-08-21 11:23:08 C:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\bak\hphupd05.exe

----a-w 53,248 2004-09-03 16:14:02 C:\Program Files\HP DVD\Umbrella\bak\DVDTray.exe

----a-w 135,168 2003-10-29 18:17:30 C:\Program Files\Multimedia Card Reader\bak\shwicon2k.exe

----a-w 282,624 2006-10-26 00:58:18 C:\Program Files\QuickTime\bak\qttask.exe

----a-w 2,506,752 2005-02-24 18:57:30 C:\Program Files\Yahoo!\Messenger\bak\ypager.exe

----a-w 221,184 2003-11-04 00:50:40 C:\WINDOWS\SMINST\bak\RECGUARD.EXE

----a-w 181 2007-10-18 16:04:27 C:\WINDOWS\system\bak\hpsysdrv.DAT
----a-w 186 2007-09-28 02:46:45 C:\WINDOWS\system\hpsysdrv.DAT

----a-w 52,736 1998-05-08 00:04:38 C:\WINDOWS\system\bak\hpsysdrv.exe

----a-w 15,360 2004-08-04 07:56:48 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-04 07:56:48 C:\WINDOWS\system32\ctfmon.exe

----a-w 483,328 2003-08-21 11:15:48 C:\WINDOWS\system32\bak\hphmon05.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c6d93001-f1fb-44eb-8a17-3a14f0e3687a}]
2007-11-02 19:55 82496 --a------ C:\WINDOWS\system32\hqgscsyl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LTMSG"="LTMSG.exe" [2003-07-14 20:52 C:\WINDOWS\ltmsg.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-10-25 10:20]
"nwiz"="nwiz.exe" [2006-10-22 12:22 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 12:22]
"SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2007-08-19 20:56]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RecordNow!"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Color Calibration.lnk - C:\Program Files\SEC\MagicTune3.5_Client\GammaTray.exe [2005-12-25 20:33:17]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 15:19:24]
MagicTune3.5.lnk - C:\Program Files\SEC\MagicTune3.5_Client\MagicTuneTray.exe [2005-12-25 20:33:36]
NaturalColorLoad.lnk - C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe [2005-12-25 20:32:29]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"SpecifyDefaultButtons"=0 (0x0)
"Btn_Search"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qommjhe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtuts]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ddabc.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime

R1 sp_rsdrv2;Spyware Terminator Driver 2;\??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
S3 AMDPCI;AMDPCI;\??\C:\DOCUME~1\Owner\LOCALS~1\Temp\AMDPCI.sys
S3 firewall;firewall;\??\C:\Program Files\Foxie Suite\firewall.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-11-02 06:36:00 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2005-01-19 23:46:42 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-02 20:10:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-02 20:20:16 - machine was rebooted
C:\ComboFix2.txt ... 2007-10-22 09:54
C:\ComboFix3.txt ... 2007-10-18 11:23
.
--- E O F ---

#5 SilveradoSS

SilveradoSS
  • Topic Starter

  • Members
  • 27 posts

Posted 02 November 2007 - 08:30 PM

And finally, the Hijackthis.txt log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:24:13 PM, on 11/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\LTMSG.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 72.13.247.82:3128
O2 - BHO: {a7863e0f-41a3-71a8-be44-bf1f10039d6c} - {c6d93001-f1fb-44eb-8a17-3a14f0e3687a} - C:\WINDOWS\system32\hqgscsyl.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Color Calibration.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: MagicTune3.5.lnk = ?
O4 - Global Startup: NaturalColorLoad.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O16 - DPF: vzTCPConfig - http://www2.verizon.net/help/fios_settings...vzTCPConfig.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by109fd.bay109.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1192247881468
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1192247827593
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownlo...iaSmartScan.cab
O16 - DPF: {8BC53B30-32E4-4ED3-BEF9-DB761DB77453} (CInstallLPCtrl Object) - http://u3.sandisk.com/download/apps/LPInstaller.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.com/games/downloads/gamem...GameManager.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.games.yahoo.com/games/web_...e/gpcontrol.cab
O20 - Winlogon Notify: qommjhe - C:\WINDOWS\
O20 - Winlogon Notify: vtuts - C:\WINDOWS\
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 6218 bytes
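The two HijackThis logs in this thread show the entry types the helper singles out for removal: unnamed O2 BHOs backed by random-named DLLs in system32, O20 Winlogon Notify keys whose module path ends in a bare directory, an O4 Run value with a hex name that calls rundll32 on another random DLL, and an R1 proxy setting. As an added example (not from this thread, nor part of HijackThis), here is a Python triage script that parses lines in the HJT log format and flags those patterns; the sample log is constructed from entries posted above, and the heuristics (such as treating a 5-8 lowercase-letter DLL name in system32 as random-looking) are assumptions, so a hit means "review this entry", not proof of infection.

```python
"""Triage of HijackThis (HJT) log lines for the Vundo/Virtumonde indicators seen in this thread."""
import re
from dataclasses import dataclass

# Constructed sample, modelled on the two HJT logs posted in this thread:
# a mix of the Vundo-related entries and ordinary vendor entries.
SAMPLE_HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 72.13.247.82:3128
O2 - BHO: (no name) - {7D477888-1A71-42DB-8D2C-79C779B6946E} - C:\WINDOWS\system32\ddabc.dll
O2 - BHO: {a7863e0f-41a3-71a8-be44-bf1f10039d6c} - {c6d93001-f1fb-44eb-8a17-3a14f0e3687a} - C:\WINDOWS\system32\hqgscsyl.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [5c15cdd3] rundll32.exe "C:\WINDOWS\system32\ntejefwx.dll",b
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O20 - Winlogon Notify: qommjhe - C:\WINDOWS\
O20 - Winlogon Notify: rqrrroo - C:\WINDOWS\SYSTEM32\rqrrroo.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Assumed heuristic: the Vundo DLLs in this thread are 5-8 random lowercase letters
# dropped into system32 (ddabc, rqrrroo, tvuwnwmu, ntejefwx, hqgscsyl). Vendor DLLs
# such as NvCpl.dll carry mixed case, so only the path part is matched case-insensitively.
RANDOM_SYS32_DLL = re.compile(r"(?i:c:\\windows\\system32\\)([a-z]{5,8})\.dll")
HJT_LINE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")  # "O2 - BHO: ..." style entries
RUN_VALUE_NAME = re.compile(r"\[([^\]]*)\]")        # the [name] part of an O4 entry


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def classify(section, body):
    """Return a review reason for one HJT entry, or None if nothing stands out."""
    if section == "R1" and "ProxyServer" in body:
        return "IE proxy server configured; worth confirming the user set it deliberately"
    if section == "O2":
        # Layout: BHO: <name> - {CLSID} - <dll path>
        name = body[len("BHO: "):].split(" - ", 1)[0]
        unnamed = name == "(no name)" or name.startswith("{")
        if unnamed and RANDOM_SYS32_DLL.search(body):
            return "unnamed BHO backed by a random-named DLL in system32"
    if section == "O4":
        m = RUN_VALUE_NAME.search(body)
        value_name = m.group(1) if m else ""
        if re.fullmatch(r"[0-9a-f]{8}", value_name):
            return "Run value with a hex-looking name"
        if "rundll32" in body.lower() and RANDOM_SYS32_DLL.search(body):
            return "rundll32 loading a random-named DLL from system32"
    if section == "O6":
        return "IE policy restrictions present; legitimate only if an administrator set them"
    if section == "O20":
        # Layout: Winlogon Notify: <key> - <path>. A path ending in '\' means HJT could
        # not resolve the registered module to a file (already removed, or hidden).
        path = body.split(" - ", 1)[-1]
        if path.endswith("\\"):
            return "Winlogon Notify key without a resolvable DLL"
        if RANDOM_SYS32_DLL.search(path):
            return "Winlogon Notify key loading a random-named DLL from system32"
    return None


def triage(log_text):
    """Parse an HJT log and return the entries that deserve a closer look."""
    findings = []
    for raw in log_text.strip().splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue  # header lines, the running-process list, blanks
        section, body = m.groups()
        reason = classify(section, body)
        if reason:
            findings.append(Finding(section, reason, raw.strip()))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

On the sample above the script flags seven entries (the proxy, both BHOs, the hex-named Run value, the O6 policy and both Winlogon Notify keys) and leaves the avast!, NVIDIA and HP entries alone.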

#6 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 02 November 2007 - 09:50 PM

Hi SilveradoSS,

This is one of the heaviest infected computer I have seen in quite a few days. :wacko:
You get a prize for being most infected - a concrete bycycle. LOL

Not only do you have a nasty Vundo infection, but you also have an equally nasty AWF infection.
You have had the Vundo infection on this computer since April.

I see you are using the BitTorrent, BearShare and eMule peer-to-peer programs. :thumbsup:
Any peer-to-peer file swapping program, such as Audiogalaxy, Bearshare, Blubster, E-Mule, Gnucleus, Grokster, Imesh, KaZaa, KaZaa Lite, Limewire, Morpheus, Shareaza, WinMX and Xolox, can degrade system performance and consume vast amounts of storage, and may create security issues, as outsiders are granted access to internal files. They are often bundled with adware or spyware. Lately they have been used for identity theft.

I recommend you uninstall them, as they are too risky.



Download CCleaner and install it. (default location is best). Do not run it yet!

CCleaner Tutorial

*******************************************

Select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix checked".

O2 - BHO: {a7863e0f-41a3-71a8-be44-bf1f10039d6c} - {c6d93001-f1fb-44eb-8a17-3a14f0e3687a} - C:\WINDOWS\system32\hqgscsyl.dll
O20 - Winlogon Notify: qommjhe - C:\WINDOWS\
O20 - Winlogon Notify: vtuts - C:\WINDOWS\


*******************************************

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.

CAUTION: Please do NOT use the Issues or Registry button. This is a built-in registry cleaner. If you don't know how to use it, you may cause irreparable damage to your system.

1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation.
IF you do NOT want it, REMOVE the checkmark when provided with the option, OR download the toolbar-free Basic version instead of the Standard Build.


2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
Clean all entries in the "Internet Explorer" section except Autocomplete Form History.
Clean all the entries in the "Windows Explorer" section.
Clean all entries in the "System" section except for Start Menu Shortcuts and Desktop Shortcuts.
Clean any others that you choose.

In the Applications Tab:
Clean all including cookies in the Firefox/Mozilla section if you use it.
Clean all in the Opera section if you use it.
Clean Sun Java in the Internet Section.
Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

If it asks you to reboot at the end, click NO.

CCleaner should be run with the above settings for each User Account!

*******************************************


Reboot your computer.


Click Start, then Run and type Notepad and click OK.
Open Notepad - don't use any other text editor than Notepad, or the script will fail.
Copy/paste the text in the code box below into notepad:

File:: 
C:\WINDOWS\system32\hqgscsyl.dll 
C:\WINDOWS\system32\knnmp.bak1
C:\WINDOWS\system32\knnmp.ini2
C:\WINDOWS\system32\stutv.bak1
C:\WINDOWS\system32\stutv.ini2
C:\Documents and Settings\Owner\LOCALS SETTINGS\Temp\AMDPCI.sys

Registry:: 
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c6d93001-f1fb-44eb-8a17-3a14f0e3687a}]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

Driver:: 
AMDPCI


Name the Notepad file CFScript.txt and Save it to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.


[screenshot: CFScript.txt dragged onto ComboFix.exe]

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

We have not even begun to go after the AWF infection yet. It is quite a lengthy removal process. :blink:

Edited by SifuMike, 02 November 2007 - 09:51 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 SilveradoSS
  • Topic Starter
  • Members
  • 27 posts

Posted 03 November 2007 - 12:20 AM

Wow SifuMike, huge improvement in PC performance since performing the functions you requested! Thanks!


Here is the latest ComboFix log:

ComboFix 07-11-01.1 - Owner 2007-11-02 23:52:39.5 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\Documents and Settings\Owner\LOCALS SETTINGS\Temp\AMDPCI.sys
C:\WINDOWS\system32\hqgscsyl.dll
C:\WINDOWS\system32\knnmp.bak1
C:\WINDOWS\system32\knnmp.ini2
C:\WINDOWS\system32\stutv.bak1
C:\WINDOWS\system32\stutv.ini2
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\hqgscsyl.dll
C:\WINDOWS\system32\knnmp.bak1
C:\WINDOWS\system32\knnmp.ini2
C:\WINDOWS\system32\stutv.bak1
C:\WINDOWS\system32\stutv.ini2

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_AMDPCI
-------\AMDPCI


((((((((((((((((((((((((( Files Created from 2007-10-03 to 2007-11-03 )))))))))))))))))))))))))))))))
.

2007-11-02 23:36 <DIR> d-------- C:\Program Files\CCleaner
2007-11-02 18:55 <DIR> d-------- C:\VundoFix Backups
2007-11-02 03:55 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-11-02 03:15 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-11-01 21:43 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\HouseCall 6.6
2007-11-01 21:41 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-10-29 22:37 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-29 22:09 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-10-29 22:09 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-10-29 22:09 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-10-29 22:09 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-10-29 22:09 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-10-29 06:06 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2007-10-29 06:05 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Spyware Terminator
2007-10-24 11:06 <DIR> d-------- C:\Program Files\KGB Archiver
2007-10-22 08:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2007-10-22 08:53 17,408 --a------ C:\psapi.dll
2007-10-22 08:49 16,384 --a------ C:\WINDOWS\xlavba3.exe
2007-10-22 08:49 41 --a------ C:\WINDOWS\plite731_uninstaller_.bat
2007-10-22 08:24 6,058,496 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-10-22 08:24 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-10-22 08:24 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-10-22 08:24 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-10-22 08:24 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-10-22 08:24 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2007-10-22 08:24 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-10-22 08:24 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-10-20 00:03 <DIR> d-------- C:\WINDOWS\system32\ffdshow
2007-10-20 00:03 <DIR> d-------- C:\Program Files\SourceTec
2007-10-18 21:23 <DIR> d-------- C:\Program Files\NCH Swift Sound
2007-10-18 21:23 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\NCH Swift Sound
2007-10-18 21:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2007-10-18 10:50 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-13 08:41 60,273 --a------ C:\WINDOWS\system32\pthreadGC2.dll
2007-10-13 08:41 7,680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-10-13 08:40 <DIR> d-------- C:\Program Files\ffdshow
2007-10-13 00:19 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Uniblue
2007-10-12 23:46 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-10-12 22:53 208,896 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2007-10-12 22:52 <DIR> d-------- C:\NVIDIA

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-03 04:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-02 14:43 --------- d-----w C:\Program Files\Spyware Terminator
2007-11-02 02:31 --------- d-----w C:\Documents and Settings\Owner\Application Data\Spyware Terminator
2007-11-01 12:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2007-10-31 04:07 --------- d-----w C:\Program Files\EMCO Malware Bouncer
2007-10-25 16:05 94,416 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-10-25 16:05 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-10-25 16:03 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-10-25 16:01 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-10-25 15:58 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-10-24 01:46 --------- d-----w C:\Program Files\MediaFACE II
2007-10-24 01:39 --------- d-----w C:\Program Files\Acoustica MP3 CD Burner
2007-10-22 13:10 --------- d-----w C:\Program Files\Yahoo!
2007-10-21 15:48 --------- d-----w C:\Program Files\QuickTime
2007-10-21 15:48 --------- d-----w C:\Program Files\Multimedia Card Reader
2007-10-21 15:48 --------- d-----w C:\Program Files\BearShare
2007-10-20 04:59 4,114 ----a-w C:\WINDOWS\viassary-hp.reg
2007-10-19 02:21 --------- d-----w C:\Program Files\Astonsoft
2007-10-18 16:38 138,624 ----a-w C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2007-10-18 11:50 --------- d-----w C:\Program Files\Dora`s Magic Castle
2007-10-14 23:15 --------- d-----w C:\Documents and Settings\Owner\Application Data\BitTorrent
2007-10-13 05:06 --------- d-----w C:\Program Files\Microsoft Works
2007-10-12 22:14 --------- d-----w C:\Program Files\BitTorrent
2007-09-28 03:54 --------- d-----w C:\Program Files\BearShare Test
2007-09-28 03:24 --------- d-----w C:\Program Files\eMule
2007-09-28 02:51 --------- d-----w C:\Program Files\BearShare Applications
2007-09-28 02:45 --------- d-----w C:\Program Files\Soulseek
2007-09-22 11:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-09-22 04:02 --------- d-----w C:\Program Files\DVDFab HD Decrypter 3
2007-09-15 23:29 --------- d-----w C:\Program Files\Any Video Converter
2007-09-14 15:16 --------- d-----w C:\Program Files\Audacity 1.3 Beta
2007-09-04 02:38 --------- d-----w C:\Program Files\IrfanView
2005-12-07 16:27 784 ----a-w C:\Documents and Settings\Owner\Application Data\mpauth.dat
.

((((((((((((((((((((((((((((( snapshot@2007-11-02_20.14.09.89 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-03-13 15:57:10 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
+ 2007-11-03 04:59:50 16,384 ----atw C:\WINDOWS\temp\Perflib_Perfdata_670.dat
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 61,440 2003-02-12 03:02:48 C:\hp\KBD\bak\KBD.EXE

----a-w 40,048 2007-05-11 08:06:32 C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe

----a-w 79,224 2007-09-06 10:06:09 C:\Program Files\Alwil Software\Avast4\bak\ashDisp.exe
----a-w 79,224 2007-10-25 15:20:44 C:\Program Files\Alwil Software\Avast4\ashDisp.exe

----a-w 3,223,552 2005-09-15 21:54:16 C:\Program Files\BearShare\bak\BearShare.exe

----a-w 3,223,552 2005-09-06 19:49:18 C:\Program Files\BearShare Test\bak\BearShare.exe
----a-w 3,223,552 2005-09-06 19:49:18 C:\Program Files\BearShare Test\BearShare.exe

----a-w 81,920 2005-08-11 21:30:30 C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe

----a-w 180,269 2004-12-17 05:09:54 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe

----a-w 32,768 2004-01-09 09:34:10 C:\Program Files\HP\Digital Imaging\bin\bak\backupnotify.exe

----a-w 49,152 2005-02-17 04:11:42 C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe

----a-w 241,664 2005-01-12 19:54:58 C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe

----a-w 49,152 2003-08-21 11:23:08 C:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\bak\hphupd05.exe

----a-w 53,248 2004-09-03 16:14:02 C:\Program Files\HP DVD\Umbrella\bak\DVDTray.exe

----a-w 135,168 2003-10-29 18:17:30 C:\Program Files\Multimedia Card Reader\bak\shwicon2k.exe

----a-w 282,624 2006-10-26 00:58:18 C:\Program Files\QuickTime\bak\qttask.exe

----a-w 2,506,752 2005-02-24 18:57:30 C:\Program Files\Yahoo!\Messenger\bak\ypager.exe

----a-w 221,184 2003-11-04 00:50:40 C:\WINDOWS\SMINST\bak\RECGUARD.EXE

----a-w 181 2007-10-18 16:04:27 C:\WINDOWS\system\bak\hpsysdrv.DAT
----a-w 186 2007-09-28 02:46:45 C:\WINDOWS\system\hpsysdrv.DAT

----a-w 52,736 1998-05-08 00:04:38 C:\WINDOWS\system\bak\hpsysdrv.exe

----a-w 15,360 2004-08-04 07:56:48 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-04 07:56:48 C:\WINDOWS\system32\ctfmon.exe

----a-w 483,328 2003-08-21 11:15:48 C:\WINDOWS\system32\bak\hphmon05.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LTMSG"="LTMSG.exe" [2003-07-14 20:52 C:\WINDOWS\ltmsg.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-10-25 10:20]
"nwiz"="nwiz.exe" [2006-10-22 12:22 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 12:22]
"SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2007-08-19 20:56]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RecordNow!"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Color Calibration.lnk - C:\Program Files\SEC\MagicTune3.5_Client\GammaTray.exe [2005-12-25 20:33:17]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 15:19:24]
MagicTune3.5.lnk - C:\Program Files\SEC\MagicTune3.5_Client\MagicTuneTray.exe [2005-12-25 20:33:36]
NaturalColorLoad.lnk - C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe [2005-12-25 20:32:29]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"SpecifyDefaultButtons"=0 (0x0)
"Btn_Search"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime

R1 sp_rsdrv2;Spyware Terminator Driver 2;\??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
S3 firewall;firewall;\??\C:\Program Files\Foxie Suite\firewall.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-11-02 06:36:00 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2005-01-19 23:46:42 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-03 00:00:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-03 0:09:03 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-02 20:20
C:\ComboFix3.txt ... 2007-10-22 09:54
.
--- E O F ---




And here is the latest Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:14:21 AM, on 11/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\LTMSG.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SEC\MagicTune3.5_Client\GammaTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 72.13.247.82:3128
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Color Calibration.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: MagicTune3.5.lnk = ?
O4 - Global Startup: NaturalColorLoad.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O16 - DPF: vzTCPConfig - http://www2.verizon.net/help/fios_settings...vzTCPConfig.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by109fd.bay109.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1192247881468
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1192247827593
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownlo...iaSmartScan.cab
O16 - DPF: {8BC53B30-32E4-4ED3-BEF9-DB761DB77453} (CInstallLPCtrl Object) - http://u3.sandisk.com/download/apps/LPInstaller.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.com/games/downloads/gamem...GameManager.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.games.yahoo.com/games/web_...e/gpcontrol.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 6059 bytes

#8 SifuMike
  • malware expert
  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 03 November 2007 - 12:59 AM

Hi SilveradoSS,

Looks better, but we still have quite a ways to go to clean up your computer.


Download FindAWF:
http://noahdfear.net/downloads/FindAWF.exe
Save the file to the Desktop
Double-click the FindAWF icon.

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 1 then Enter to scan for bak folders
The scan may take a while, please be patient.

When done, a text file, the Find AWF report, is produced that we need to look at.
Please post it in your reply.

#9 SilveradoSS
  • Topic Starter
  • Members
  • 27 posts

Posted 03 November 2007 - 08:41 AM

SifuMike,

Here is the Find AWF report:



Find AWF report by noahdfear 2006
Version 1.40

The current date is: Sat 11/03/2007
The current time is: 2:50:54.53


bak folders found
~~~~~~~~~~~


Directory of C:\HP\KBD\BAK

02/11/2003 10:02 PM 61,440 KBD.EXE
1 File(s) 61,440 bytes

Directory of C:\PROGRA~1\BEARSH~1\BAK

09/15/2005 04:54 PM 3,223,552 BearShare.exe
1 File(s) 3,223,552 bytes

Directory of C:\PROGRA~1\BEARSH~2\BAK

09/06/2005 02:49 PM 3,223,552 BearShare.exe
1 File(s) 3,223,552 bytes

Directory of C:\PROGRA~1\MULTIM~1\BAK

10/29/2003 01:17 PM 135,168 shwicon2k.exe
1 File(s) 135,168 bytes

Directory of C:\PROGRA~1\QUICKT~2\BAK

10/25/2006 07:58 PM 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\WINDOWS\SMINST\BAK

11/03/2003 07:50 PM 221,184 RECGUARD.EXE
1 File(s) 221,184 bytes

Directory of C:\WINDOWS\SYSTEM\BAK

10/18/2007 11:04 AM 181 hpsysdrv.DAT
05/07/1998 07:04 PM 52,736 hpsysdrv.exe
2 File(s) 52,917 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004 02:56 AM 15,360 ctfmon.exe
08/21/2003 06:15 AM 483,328 hphmon05.exe
2 File(s) 498,688 bytes

Directory of C:\PROGRA~1\ALWILS~1\AVAST4\BAK

09/06/2007 05:06 AM 79,224 ashDisp.exe
1 File(s) 79,224 bytes

Directory of C:\PROGRA~1\HP\HPCORE~1\BAK

01/12/2005 02:54 PM 241,664 hpcmpmgr.exe
1 File(s) 241,664 bytes

Directory of C:\PROGRA~1\HP\HPSOFT~1\BAK

02/16/2005 11:11 PM 49,152 HPWuSchd2.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\HP\{45B61~1\BAK

08/21/2003 06:23 AM 49,152 hphupd05.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\HPDVD~1\UMBRELLA\BAK

09/03/2004 11:14 AM 53,248 DVDTray.exe
1 File(s) 53,248 bytes

Directory of C:\PROGRA~1\YAHOO!\MESSEN~1\BAK

02/24/2005 01:57 PM 2,506,752 ypager.exe
1 File(s) 2,506,752 bytes

Directory of C:\PROGRA~1\ADOBE\READER~1.0\READER\BAK

05/11/2007 03:06 AM 40,048 Reader_sl.exe
1 File(s) 40,048 bytes

Directory of C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\BAK

08/11/2005 04:30 PM 81,920 issch.exe
1 File(s) 81,920 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

12/17/2004 12:09 AM 180,269 realsched.exe
1 File(s) 180,269 bytes

Directory of C:\PROGRA~1\HP\DIGITA~1\BIN\BAK

01/09/2004 04:34 AM 32,768 backupnotify.exe
1 File(s) 32,768 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

61440 Feb 11 2003 "C:\hp\KBD\bak\KBD.EXE"
3223552 Sep 6 2005 "C:\Program Files\BearShare Test\BearShare.exe"
3223552 Sep 15 2005 "C:\Program Files\BearShare\bak\BearShare.exe"
3223552 Sep 6 2005 "C:\Program Files\BearShare Test\bak\BearShare.exe"
3223552 Sep 6 2005 "C:\Program Files\BearShare Test\BearShare.exe"
3223552 Sep 15 2005 "C:\Program Files\BearShare\bak\BearShare.exe"
3223552 Sep 6 2005 "C:\Program Files\BearShare Test\bak\BearShare.exe"
135168 Oct 29 2003 "C:\Program Files\Multimedia Card Reader\bak\shwicon2k.exe"
282624 Oct 25 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
221184 Nov 3 2003 "C:\WINDOWS\SMINST\bak\RECGUARD.EXE"
186 Sep 27 2007 "C:\WINDOWS\system\hpsysdrv.DAT"
181 Oct 18 2007 "C:\WINDOWS\system\bak\hpsysdrv.DAT"
52736 May 7 1998 "C:\WINDOWS\system\bak\hpsysdrv.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
483328 Aug 21 2003 "C:\WINDOWS\system32\bak\hphmon05.exe"
79224 Oct 25 2007 "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
79224 Sep 6 2007 "C:\Program Files\Alwil Software\Avast4\bak\ashDisp.exe"
241664 Jan 12 2005 "C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe"
49152 Feb 16 2005 "C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"
49152 Aug 21 2003 "C:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\bak\hphupd05.exe"
53248 Sep 3 2004 "C:\Program Files\HP DVD\Umbrella\bak\DVDTray.exe"
2506752 Feb 24 2005 "C:\Program Files\Yahoo!\Messenger\bak\ypager.exe"
40048 May 11 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
81920 Aug 11 2005 "C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe"
180269 Dec 17 2004 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
32768 Jan 9 2004 "C:\Program Files\HP\Digital Imaging\bin\bak\backupnotify.exe"


end of report

#10 SifuMike
  • malware expert
  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 03 November 2007 - 02:31 PM

Hi SilveradoSS,

Please double-click the FindAWF icon once again.

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 2 then Enter to restore files from bak folders

A text file opens called: files.txt
Click below the line and paste the following list of files to be restored:


"C:\hp\KBD\bak\KBD.EXE"
"C:\Program Files\BearShare Test\bak\BearShare.exe"
"C:\Program Files\Multimedia Card Reader\bak\shwicon2k.exe"
"C:\Program Files\QuickTime\bak\qttask.exe"
"C:\WINDOWS\SMINST\bak\RECGUARD.EXE"
"C:\WINDOWS\system\bak\hpsysdrv.exe"
"C:\WINDOWS\system32\bak\hphmon05.exe"
"C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe"
"C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"
"C:\Program Files\HP DVD\Umbrella\bak\DVDTray.exe"
"C:\Program Files\Yahoo!\Messenger\bak\ypager.exe"
"C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
"C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe"
"C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
"C:\Program Files\HP\Digital Imaging\bin\bak\backupnotify.exe"


Next, close and click Yes to save the changes.

Once files.txt is saved, FindAWF does the following:
- It attempts to terminate the process represented by each filename on the list, if it is running
- Deletes the rogue file from the parent folder, if present
- Copies the original file to the parent folder

When done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply.
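As an added illustration, not part of the thread and not FindAWF's own code: a Python audit of the pattern the Find AWF report (#9) and the option 2 description (#10) lay out, where the legitimate startup executable is moved into a sub-folder named "bak" and a rogue file with the same name sits in the parent folder. The script finds every "bak" folder, hashes each backed-up file against its same-named parent-folder file, and can copy the original back; process termination is left out. The directory layout is constructed in a temporary folder using file names from the thread and placeholder bytes, not real binaries, and the function names are this example's own.

```python
"""Audit and restore "bak" folders of the kind shown in the Find AWF report.

For every file inside a folder named "bak", the file of the same name in the
parent folder is classified as:

  * "replaced"  - parent file exists but its contents differ from the bak copy
  * "missing"   - no parent file (rogue already deleted, original not restored)
  * "identical" - parent file matches the bak copy (already restored)

restore_from_bak() mirrors what option 2 is described as doing, minus killing
running processes: delete the parent-folder file and copy the original back.
Everything runs inside a temporary directory; no real system files are touched.
"""
from __future__ import annotations

import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass
from pathlib import Path


@dataclass
class BakFinding:
    bak_file: Path
    parent_file: Path
    status: str  # "replaced", "missing" or "identical"


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large executables do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_bak_folders(root: Path) -> list[BakFinding]:
    """Return one finding per file found inside any folder named 'bak' (case-insensitive)."""
    findings: list[BakFinding] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        folder = Path(dirpath)
        if folder.name.lower() != "bak":
            continue
        for name in filenames:
            bak_file = folder / name
            parent_file = folder.parent / name
            if not parent_file.exists():
                status = "missing"
            elif sha256_of(parent_file) == sha256_of(bak_file):
                status = "identical"
            else:
                status = "replaced"
            findings.append(BakFinding(bak_file, parent_file, status))
    return sorted(findings, key=lambda f: str(f.bak_file).lower())


def restore_from_bak(findings: list[BakFinding], dry_run: bool = True) -> list[Path]:
    """Copy the bak original over the parent-folder file for every non-identical finding.

    With dry_run=True only the list of files that *would* be restored is returned.
    """
    restored: list[Path] = []
    for finding in findings:
        if finding.status == "identical":
            continue
        if not dry_run:
            if finding.parent_file.exists():
                finding.parent_file.unlink()          # remove the rogue file
            shutil.copy2(finding.bak_file, finding.parent_file)  # put the original back
        restored.append(finding.parent_file)
    return restored


def build_sample_tree(root: Path) -> None:
    """Constructed fixture modelled on the thread's report; placeholder bytes, not binaries."""
    layout = {
        "Program Files/QuickTime/bak/qttask.exe": b"ORIGINAL-QTTASK",
        "Program Files/QuickTime/qttask.exe": b"ROGUE-FILE-WITH-ORIGINAL-NAME",
        "WINDOWS/system32/bak/ctfmon.exe": b"ORIGINAL-CTFMON",
        "WINDOWS/system32/ctfmon.exe": b"ORIGINAL-CTFMON",
        "hp/KBD/bak/KBD.EXE": b"ORIGINAL-KBD",
    }
    for rel, data in layout.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


def run_demo() -> dict:
    """Audit the sample tree, restore it, and audit again; returns both status maps."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        before = {f.parent_file.name: f.status for f in audit_bak_folders(root)}
        restore_from_bak(audit_bak_folders(root), dry_run=False)
        after = {f.parent_file.name: f.status for f in audit_bak_folders(root)}
        return {"before": before, "after": after}


if __name__ == "__main__":
    for phase, statuses in run_demo().items():
        print(phase, statuses)
```

Running it against the constructed tree reports qttask.exe as "replaced", KBD.EXE as "missing" and ctfmon.exe as "identical" before the restore, and all three as "identical" afterwards, which is the before/after picture the two FindAWF reports in this thread show.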

#11 SilveradoSS
  • Topic Starter
  • Members
  • 27 posts

Posted 03 November 2007 - 07:25 PM

Done!


Find AWF report by noahdfear 2006
Version 1.40
Option 2 run successfully

The current date is: Sat 11/03/2007
The current time is: 19:16:04.70


bak folders found
~~~~~~~~~~~


Directory of C:\HP\KBD\BAK

02/11/2003 10:02 PM 61,440 KBD.EXE
1 File(s) 61,440 bytes

Directory of C:\PROGRA~1\BEARSH~1\BAK

09/15/2005 04:54 PM 3,223,552 BearShare.exe
1 File(s) 3,223,552 bytes

Directory of C:\PROGRA~1\BEARSH~2\BAK

09/06/2005 02:49 PM 3,223,552 BearShare.exe
1 File(s) 3,223,552 bytes

Directory of C:\PROGRA~1\MULTIM~1\BAK

10/29/2003 01:17 PM 135,168 shwicon2k.exe
1 File(s) 135,168 bytes

Directory of C:\PROGRA~1\QUICKT~2\BAK

10/25/2006 07:58 PM 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\WINDOWS\SMINST\BAK

11/03/2003 07:50 PM 221,184 RECGUARD.EXE
1 File(s) 221,184 bytes

Directory of C:\WINDOWS\SYSTEM\BAK

10/18/2007 11:04 AM 181 hpsysdrv.DAT
05/07/1998 07:04 PM 52,736 hpsysdrv.exe
2 File(s) 52,917 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004 02:56 AM 15,360 ctfmon.exe
08/21/2003 06:15 AM 483,328 hphmon05.exe
2 File(s) 498,688 bytes

Directory of C:\PROGRA~1\ALWILS~1\AVAST4\BAK

09/06/2007 05:06 AM 79,224 ashDisp.exe
1 File(s) 79,224 bytes

Directory of C:\PROGRA~1\HP\HPCORE~1\BAK

01/12/2005 02:54 PM 241,664 hpcmpmgr.exe
1 File(s) 241,664 bytes

Directory of C:\PROGRA~1\HP\HPSOFT~1\BAK

02/16/2005 11:11 PM 49,152 HPWuSchd2.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\HP\{45B61~1\BAK

08/21/2003 06:23 AM 49,152 hphupd05.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\HPDVD~1\UMBRELLA\BAK

09/03/2004 11:14 AM 53,248 DVDTray.exe
1 File(s) 53,248 bytes

Directory of C:\PROGRA~1\YAHOO!\MESSEN~1\BAK

02/24/2005 01:57 PM 2,506,752 ypager.exe
1 File(s) 2,506,752 bytes

Directory of C:\PROGRA~1\ADOBE\READER~1.0\READER\BAK

05/11/2007 03:06 AM 40,048 Reader_sl.exe
1 File(s) 40,048 bytes

Directory of C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\BAK

08/11/2005 04:30 PM 81,920 issch.exe
1 File(s) 81,920 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

12/17/2004 12:09 AM 180,269 realsched.exe
1 File(s) 180,269 bytes

Directory of C:\PROGRA~1\HP\DIGITA~1\BIN\BAK

01/09/2004 04:34 AM 32,768 backupnotify.exe
1 File(s) 32,768 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

61440 Feb 11 2003 "C:\hp\KBD\KBD.EXE"
61440 Feb 11 2003 "C:\hp\KBD\bak\KBD.EXE"
3223552 Sep 6 2005 "C:\Program Files\BearShare Test\BearShare.exe"
3223552 Sep 15 2005 "C:\Program Files\BearShare\bak\BearShare.exe"
3223552 Sep 6 2005 "C:\Program Files\BearShare Test\bak\BearShare.exe"
3223552 Sep 6 2005 "C:\Program Files\BearShare Test\BearShare.exe"
3223552 Sep 15 2005 "C:\Program Files\BearShare\bak\BearShare.exe"
3223552 Sep 6 2005 "C:\Program Files\BearShare Test\bak\BearShare.exe"
135168 Oct 29 2003 "C:\Program Files\Multimedia Card Reader\shwicon2k.exe"
135168 Oct 29 2003 "C:\Program Files\Multimedia Card Reader\bak\shwicon2k.exe"
282624 Oct 25 2006 "C:\Program Files\QuickTime\qttask.exe"
282624 Oct 25 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
221184 Nov 3 2003 "C:\WINDOWS\SMINST\RECGUARD.EXE"
221184 Nov 3 2003 "C:\WINDOWS\SMINST\bak\RECGUARD.EXE"
186 Sep 27 2007 "C:\WINDOWS\system\hpsysdrv.DAT"
181 Oct 18 2007 "C:\WINDOWS\system\bak\hpsysdrv.DAT"
52736 May 7 1998 "C:\WINDOWS\system\hpsysdrv.exe"
52736 May 7 1998 "C:\WINDOWS\system\bak\hpsysdrv.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
483328 Aug 21 2003 "C:\WINDOWS\system32\hphmon05.exe"
483328 Aug 21 2003 "C:\WINDOWS\system32\bak\hphmon05.exe"
79224 Oct 25 2007 "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
79224 Sep 6 2007 "C:\Program Files\Alwil Software\Avast4\bak\ashDisp.exe"
241664 Jan 12 2005 "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
241664 Jan 12 2005 "C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe"
49152 Feb 16 2005 "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
49152 Feb 16 2005 "C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"
49152 Aug 21 2003 "C:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\bak\hphupd05.exe"
53248 Sep 3 2004 "C:\Program Files\HP DVD\Umbrella\DVDTray.exe"
53248 Sep 3 2004 "C:\Program Files\HP DVD\Umbrella\bak\DVDTray.exe"
2506752 Feb 24 2005 "C:\Program Files\Yahoo!\Messenger\ypager.exe"
2506752 Feb 24 2005 "C:\Program Files\Yahoo!\Messenger\bak\ypager.exe"
40048 May 11 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
40048 May 11 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
81920 Aug 11 2005 "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe"
81920 Aug 11 2005 "C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe"
180269 Dec 17 2004 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
180269 Dec 17 2004 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
32768 Jan 9 2004 "C:\Program Files\HP\Digital Imaging\bin\backupnotify.exe"
32768 Jan 9 2004 "C:\Program Files\HP\Digital Imaging\bin\bak\backupnotify.exe"


end of report
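As an added example (not FindAWF's own code, nor anything posted in this thread), this Python script performs the pairing behind the "Duplicate files of bak directory contents" section above: every file in a bak folder is matched against the same-named file in its parent folder and flagged as identical, differing in content, or missing a live copy. The directory tree it scans is constructed in make_sample_tree(), so it runs offline.

```python
"""Reproduce the comparison a FindAWF-style 'Duplicate files of bak
directory contents' section reports. Added example, not FindAWF's code;
the tree it scans is constructed in make_sample_tree()."""
import hashlib
import os
import tempfile


def sha256_of(path):
    """SHA-256 hex digest of one file's contents."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def compare_bak_dirs(root):
    """Return {relative live path: status} for every file under a 'bak' folder.
    'identical' = live copy matches the backed-up original byte for byte,
    'differs'   = same name but different content (the case worth inspecting),
    'missing'   = no live copy next to the bak folder (cf. hphupd05.exe above)."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        if os.path.basename(dirpath).lower() != "bak":
            continue
        parent = os.path.dirname(dirpath)
        for name in files:
            live = os.path.join(parent, name)
            key = os.path.relpath(live, root).replace(os.sep, "/")
            if not os.path.isfile(live):
                report[key] = "missing"
            elif sha256_of(live) == sha256_of(os.path.join(dirpath, name)):
                report[key] = "identical"
            else:
                report[key] = "differs"
    return report


def make_sample_tree():
    """Constructed sample: an untouched pair, an altered live copy, and a
    bak entry whose live counterpart is gone. File contents are made up."""
    root = tempfile.mkdtemp()
    for sub, live, bak in (("QuickTime", b"qttask build 1", b"qttask build 1"),
                           ("Avast4", b"ashDisp MODIFIED", b"ashDisp build 1"),
                           ("hphupd", None, b"hphupd05 build 1")):
        os.makedirs(os.path.join(root, sub, "bak"))
        with open(os.path.join(root, sub, "bak", "app.exe"), "wb") as f:
            f.write(bak)
        if live is not None:
            with open(os.path.join(root, sub, "app.exe"), "wb") as f:
                f.write(live)
    return root
```

Run compare_bak_dirs() against a real drive root to list every bak folder and the state of its live counterpart; a same-size file whose content differs from the backed-up original is the pair to look at first.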

#12 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:01:12 PM

Posted 03 November 2007 - 07:53 PM

Hi SilveradoSS,

Please download ATF Cleaner by Atribune. Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Reboot your computer <==== Important

Post back when you have done the above and we will continue.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!


Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#13 SilveradoSS

SilveradoSS
  • Topic Starter

  • Members
  • 27 posts
  • Local time:04:12 PM

Posted 03 November 2007 - 08:09 PM

SifuMike, ran ATF Cleaner and have rebooted PC.

#14 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:01:12 PM

Posted 03 November 2007 - 08:12 PM

Hi SilveradoSS,

OK, give me a few minutes to create next fix. I will be back shortly. :thumbsup:

#15 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:01:12 PM

Posted 03 November 2007 - 08:30 PM

Hi SilveradoSS,

This time we are going to remove some folders. :thumbsup:

Please double-click the FindAWF icon once again.


If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 3 then Enter to remove bak folders

A text file opens called: folders.txt
Click below the line and paste the following list of folders to be removed:

C:\hp\KBD\bak
C:\Program Files\BearShare\bak
C:\Program Files\BearShare Test\bak
C:\Program Files\Multimedia Card Reader\bak
C:\Program Files\QuickTime\bak
C:\WINDOWS\SMINST\bak
C:\WINDOWS\system\bak
C:\WINDOWS\system32\bak
C:\Program Files\Alwil Software\Avast4\bak
C:\Program Files\HP\hpcoretech\bak
C:\Program Files\HP\HP Software Update\bak
C:\Program Files\HP DVD\Umbrella\bak
C:\Program Files\Yahoo!\Messenger\bak
C:\Program Files\Adobe\Reader 8.0\Reader\bak
C:\Program Files\Common Files\InstallShield\UpdateService\bak
C:\Program Files\Common Files\Real\Update_OB\bak
C:\Program Files\HP\Digital Imaging\bin\bak\


Next, close and click Yes to save the changes.

When done with the above, FindAWF automatically runs a new scan and opens a new log that you need to post.
Please provide the new FindAWF log in your reply.